feat: registry hardening, structural analysis, single-repo MCP default #19

Merged
carlos-alm merged 4 commits into main from feat/registry-hardening, Feb 22, 2026

@carlos-alm
Contributor

Summary

  • Multi-repo registry hardening: pruneRegistry() for stale entries, --repos allowlist for access control, auto-suffix name collisions
  • Structural analysis: new src/structure.js with directory nodes, containment edges, and metrics (symbol density, fan-out, cohesion). New codegraph structure and codegraph hotspots CLI commands
  • Single-repo MCP default: MCP server locked to local project by default; multi-repo requires explicit --multi-repo or --repos opt-in
  • Security: eliminated SQL interpolation in hotspotsData, broke parser.js ↔ constants.js circular dependency
  • v1.5.0 release notes added to CHANGELOG

Test plan

  • npm test passes all existing + new tests
  • codegraph build . succeeds on self
  • codegraph structure and codegraph hotspots produce expected output
  • codegraph mcp starts in single-repo mode by default
  • codegraph mcp --multi-repo enables multi-repo access
  • codegraph registry prune removes stale entries

Analyze 21 code intelligence tools, rank codegraph #7/22, and
establish 8 core principles (zero-infrastructure, dual engine,
confidence scoring, incremental builds, embeddable-first,
single registry, security defaults, scope boundaries).
@greptile-apps
Contributor

greptile-apps bot commented Feb 22, 2026

Greptile Summary

This PR adds v1.5.0 release documentation and hardens the publish workflow. The changes include:

  • Workflow hardening: Added release trigger support to extract version from GitHub release tags, verification that version was actually bumped, and pre-publish check to prevent duplicate npm packages
  • Release notes: Comprehensive v1.5.0 CHANGELOG documenting multi-repo registry hardening, structural analysis features, single-repo MCP default, and security fixes
  • Strategic documentation: New COMPETITIVE_ANALYSIS.md analyzing 21 code graph tools with detailed scoring and roadmap, and FOUNDATION.md establishing 8 core principles for the project
  • Updated comparisons: README comparison table now references actual competitors (code-graph-rag, glimpse, CodeMCP, etc.) instead of outdated tools

All documentation changes follow CLAUDE.md conventions (removed prohibited references). No code changes in this PR - exclusively documentation and CI/CD improvements.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - exclusively documentation and workflow hardening
  • All changes are documentation updates and CI/CD improvements with no runtime code changes. The workflow enhancements add safety checks (version bump verification, duplicate detection) that reduce publish failures. Documentation is comprehensive and well-researched. Follows CLAUDE.md conventions by removing prohibited references.
  • No files require special attention - all changes are safe

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/publish.yml | Hardens publish workflow with release trigger support, version bump verification, and npm duplicate check - clean changes with improved safety |
| CHANGELOG.md | Adds v1.5.0 release notes with comprehensive feature/bug/test documentation, removes prohibited reference per CLAUDE.md |
| COMPETITIVE_ANALYSIS.md | New comprehensive competitive analysis of 21 code graph tools with scoring, comparison, and roadmap - well-researched documentation |
| FOUNDATION.md | New foundation document establishing 8 core principles and product positioning - clear architectural philosophy |
| README.md | Updates comparison table to reference actual competitors instead of outdated tools - improves accuracy and relevance |

Last reviewed commit: 1571f2a


@greptile-apps greptile-apps bot left a comment

3 files reviewed, no comments


The release trigger had no access to version-override inputs, causing
commit-and-tag-version to fall through to auto-detect which silently
produced the stale version. Now extracts version from the release tag,
verifies the bump actually happened, and checks npm registry before
publishing to catch version conflicts early.
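
The three gates this commit message describes (version taken from the release tag, confirmation that the bump happened, and a registry check before publishing), sketched as an added example that is not the project's workflow. The function names and the list of published versions are hypothetical; in CI that list would come from the npm registry.

```shell
# Added example: pre-publish version gates in POSIX sh. All names are hypothetical.

# Take the version from a release tag ("v1.5.0" -> "1.5.0"); reject anything
# that is not plain semver so a stray tag cannot drive a publish.
version_from_tag() {
  _tag="${1#refs/tags/}"
  _tag="${_tag#v}"
  if printf '%s\n' "$_tag" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'; then
    printf '%s\n' "$_tag"
  else
    echo "not a semver release tag: $1" >&2
    return 1
  fi
}

# Verify the bump: $1 = version before the bump step, $2 = version after it,
# $3 = version the release tag asked for. A silent no-op bump fails here.
verify_bump() {
  if [ "$2" = "$1" ]; then
    echo "version is still $1: the bump did not happen" >&2
    return 1
  fi
  if [ "$2" != "$3" ]; then
    echo "bumped to $2 but the release tag says $3" >&2
    return 1
  fi
}

# Fail when $1 already appears in $2, a newline-separated list of published versions.
assert_unpublished() {
  if printf '%s\n' "$2" | grep -Fxq -- "$1"; then
    echo "$1 is already published" >&2
    return 1
  fi
}

# Constructed sample standing in for the registry's answer.
PUBLISHED_SAMPLE='1.3.0
1.4.0'

# Run all three gates: $1 = tag, $2 = version before bump, $3 = version after bump.
pre_publish_check() {
  _v="$(version_from_tag "$1")" || return 1
  verify_bump "$2" "$3" "$_v" || return 1
  assert_unpublished "$_v" "$PUBLISHED_SAMPLE" || return 1
  printf '%s\n' "$_v"
}
```
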
@carlos-alm
Contributor Author

Latest: README competitive comparison update

Replaced the feature comparison table with actual competitors from COMPETITIVE_ANALYSIS.md:

Removed (not real competitors):

  • Madge, dep-cruiser, Skott — file-level JS-only tools
  • Nx graph — project-level monorepo tool
  • Sourcetrail — archived since 2021
  • GitNexus — PolyForm Noncommercial license

Added (ranked above us + Claude-code-memory):

Also updated the "How other tools compare" section with descriptions for all new entries, trimmed irrelevant old entries (Sourcegraph, CodeSee, Understand, Snyk Code — different product categories).

@carlos-alm
Contributor Author

@greptileai


@greptile-apps greptile-apps bot left a comment

5 files reviewed, no comments


@carlos-alm carlos-alm merged commit ea93512 into main Feb 22, 2026
12 checks passed
@carlos-alm carlos-alm deleted the feat/registry-hardening branch February 22, 2026 10:29